
Upgrade jackson to latest compatible with play 2.8.x framework #660

Merged
merged 1 commit into from
Nov 25, 2021

Conversation

nimatrueway

@nimatrueway nimatrueway commented Sep 28, 2021

There is a high-level vulnerability reported for jackson 2.10.x which this PR intends to address.

Play-framework 2.8.8 already pulls in Jackson library version 2.11.4 on top of play-json 2.8.1 (overriding the Jackson version in the application), which is a testament that play-json 2.8.1 is already compatible with Jackson 2.11.4.


@SethTisue
Member

LGTM, but I'd be more comfortable with an approval from @mkurz or @octonato

octonato
octonato previously approved these changes Oct 5, 2021
@octonato
Contributor

octonato commented Oct 5, 2021

@nimatrueway, I just realised that the master branch of this project is already using Jackson 2.11.4 and that you sent a PR to the 2.8.x branch. Any reason why you are still on version 2.8 of play-json?

I don't think we will cut a new release for 2.8.x branch. It's easier to move to 2.9 instead. Also, Play 2.8 does use play-json 2.9.2 and Jackson 2.11.4.

@octonato octonato dismissed their stale review October 5, 2021 11:55

Dismissing my own approval as I don't think we will cut a new release of 2.8.x branch. Users should move to 2.9.2 instead.

@nimatrueway
Author

@octonato if playframework releases a play 2.8.x that uses play-json 2.10.x then I agree that there is no justification for this PR.

In the current situation, other library developers, in order to address vulnerability audit alerts (that catch the outdated Jackson library pulled in as a dependency of play-json), have two choices:

  • Use play-json 2.10.x; which creates a risk of breaking application for those users that use it inside a play-framework based application (even the latest version of play framework stayed with play-json 2.8.x).
  • Override Jackson library to a higher minor version when they use play-json 2.8.x; which is what playframework does now.

We in Hootsuite are likely to go with option 2 if this PR gets rejected; however, I thought you folks could consider this as a safe patch update for play-json 2.8.x given the fact that playframework already overrides the Jackson version and play-json still works fine.
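Option 2 above, the override that playframework itself applies, looks like the following in an sbt build. This is an added example and not code from the PR or the play-json project; the Jackson artifact coordinates are the standard ones from Maven Central and the list of artifacts pinned is an assumption that should be checked against the build's own resolved dependency tree.

```scala
// build.sbt fragment (added example, not from the PR): stay on play-json 2.8.x
// but force the Jackson version the PR discusses (2.11.4, the one Play 2.8.8
// already ships) so the audit alert on Jackson 2.10.x clears.
val jacksonVersion = "2.11.4"

libraryDependencies += "com.typesafe.play" %% "play-json" % "2.8.1"

// dependencyOverrides wins over the transitive version play-json declares.
// Assumption: these are the Jackson modules play-json pulls in; confirm with
// `sbt evicted` or the dependency tree of your own build.
dependencyOverrides ++= Seq(
  "com.fasterxml.jackson.core"     % "jackson-core"            % jacksonVersion,
  "com.fasterxml.jackson.core"     % "jackson-annotations"     % jacksonVersion,
  "com.fasterxml.jackson.core"     % "jackson-databind"        % jacksonVersion,
  "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8"   % jacksonVersion,
  "com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % jacksonVersion
)
```

After reloading, `sbt evicted` lists which transitive versions were replaced; the Jackson entries should all resolve to 2.11.4, and nothing else in the build should report a downgrade. Pinning every Jackson module to the same version matters because mixing jackson-core and jackson-databind across minor releases fails at runtime rather than at compile time.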

@jtjeferreira
Contributor

Hi!

I am also struggling with some play/play-json/jackson/etc dependencies. I will fix it by overriding some jackson deps, but I think having a play-json 2.10.0 would also solve my problem. Any ETA for cutting a release?

Contributor

@octonato octonato left a comment


I'll merge this one. Although I don't think we will cut a release from the 2.8.x branch, but we never know.

@octonato octonato merged commit 226b447 into playframework:2.8.x Nov 25, 2021
@octonato
Contributor

@jtjeferreira, no concrete plans, but I think I can cut the 2.10 release. It's just about creating a tag.

@octonato
Contributor

I'll merge this one. Although I don't think we will cut a release from the 2.8.x branch, but we never know.

It turns out that we end up cutting a release (2.8.2). I did it yesterday evening and it will be included in upcoming Play 2.8.10.

Thanks @nimatrueway
